aspx页面与MVC中的跨站点请求伪造攻击？ [英] Cross site request forgery attack in aspx page vs MVC ?

问题描述

aspx页面对MVC的跨站点请求伪造攻击？



根据我的理解，CSRF攻击是客户端攻击，会强制用户运行如果我在我的按钮上执行服务器端操作，请单击aspx页面，攻击者如何运行此脚本？那就是如果我的网站在asp按钮点击上进行一些资金转移，攻击者如何在点击按钮时运行这个CSRF脚本？如果我使用GET和POST方法处理这个请求我认为攻击者可以在这里做CSRF但是如何处理asp按钮点击事件。？

在mvc中我们正在按钮提交所以我认为可能。

可以解释一下吗？

Cross site request forgery attack in aspx page vs MVC ?

As per my understanding CSRF attack is a client side attack which will force the user to run piece of script.If am doing server side actions on my button click in aspx page, how do attackers can run this script? that is if my site is doing some fund transfer on asp button click , how attackers can run this CSRF scripts on button click ? if am handling this request using GET and POST method i think attackers can do CSRF here but how do with asp button click event.?
In mvc we are doing button submit so it may be possible i think.
Could any one explain this ?

推荐答案

CSRF 攻击 [ ^ ]是恶意攻击网站将您的API /服务与自己的数据结合使用。如果客户端会话有效，则会发出此恶意请求。



让我们假设一个好的站点A和一个坏的站点B.



用户在浏览器上打开网站A并进行一些交易。

当此窗口仍然打开时，用户A访问网站B.

站点B有一些'讨厌'的JavaScript，它向站点A发布请求。

由于A的会话在浏览器中仍然有效，站点B可以访问站点A的API并执行他们想要的任何操作。



为避免这种伪造攻击，可以使用令牌。



有关如何防止这些攻击 -

http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages [ ^ ]

Hack证明您的ASP.NET应用程序第3部分（跨站点请求伪造） [ ^ ]

CSRF attacks[^] are attacks in which malicious websites use your API / service with their own data. If the client session is valid, this 'malicious' request will go through.

Lets assume a good site A and a bad site B.

User opens site A on the browser and does some transaction.
While this window is still open, user A visits site B.
Site B has some 'nasty' JavaScript which posts a request to site A.
Since session for A is still valid in the browser, site B could gain access to site A's API and do whatever they want.

To avoid this kind of forgery attacks, a token can be used.

Some information on how to prevent these attacks -
http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages[^]
Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)[^]

这篇关于aspx页面与MVC中的跨站点请求伪造攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！